Gartner Magic Quadrant: Application Security Testing 2023

Please visit the original link: https://sysin.org/blog/gartner-magic-quadrant-ast-2023/ to view the latest version. Original works, please keep the source for reprinting.

Author home page: sysin.org


Magic Quadrant for Application Security Testing

Posted on May 17, 2023


Magic Quadrant

Modern application design, shift to cloud, and accelerated adoption of DevSecOps are expanding the scope of the AST market. By integrating and automating AST across the software lifecycle, security and risk management leaders can meet tighter deadlines and test more complex applications.

Market Definition/Description:

This document was revised on May 19, 2023. For more information, see the corrections page on gartner.com .

Gartner's view of the market focuses on transformational technologies or approaches that meet the future needs of end users. It is not focused on the market as it is today.

Gartner defines the application security testing (AST) market as buyers and sellers of products and services designed to analyze and test application security vulnerabilities. This market is highly dynamic and continues to experience rapid evolution in response to changing application architectures and supporting technologies.

In this analysis and vendor evaluation, we continue to pay greater attention to emerging technologies and methodologies, and AST tools to meet the new requirements they bring. Overall, the market includes tools that provide core testing capabilities—for example, static, dynamic, and interactive testing; software composition analysis (SCA); and a variety of optional specialized capabilities.

AST tools are available as both a software-as-a-service (SaaS)-based subscription offering and, to a lesser extent, on-premises software. Many vendors offer both options. Core functionality provides basic testing functionality, and most organizations use one or more types, including:

  • Static AST (SAST): Analyzes an application's source code, bytecode, or binary code for security vulnerabilities, usually during the programming and/or testing phases of the software development life cycle (SDLC).
  • Software Composition Analysis (SCA): Identifies the open source and commercial components used in an application. From this, known security vulnerabilities, potential licensing issues, and operational risks can be identified.

Optional features provide a more specialized form of testing, often supplementing core capabilities based on an organization's application portfolio or application security program maturity. They include:

  • API Testing: APIs have become an important part of modern applications (for example, single-page or mobile applications), but traditional AST toolsets may not be able to test them comprehensively, thus requiring specialized tools and capabilities. Typical capabilities include the ability to discover APIs and test API source code in development and production environments, as well as the ability to ingest recorded traffic or API definitions to support testing of running APIs.

  • Application Security Posture Management (ASPM): ASPM continuously manages application risk through the detection, correlation and prioritization of security issues across the SDLC, from development to deployment. ASPM tools take data from multiple sources, then correlate and analyze the findings for easier interpretation, classification and remediation. They act as a management and orchestration layer for security tools, supporting control and enforcement of security policies. By providing a consolidated view of application security findings, ASPM tools help manage and remediate individual findings while also showing the overall security and risk status of an entire application or system.

  • Container Security: Container security scanning examines container images, or fully instantiated containers prior to deployment, for security issues. Container security tools focus on a variety of tasks, including configuration hardening and vulnerability assessment tasks. The tool also scans for secrets, such as hardcoded credentials or authentication keys. Container security scanning tools can be run as part of the application deployment process, or integrated with container repositories, so security assessments can be performed while images are being stored for future use.

  • Developer Support: Developer support tools and features support developers and engineering team members in their efforts to create secure code. These tools focus primarily on security training and vulnerability remediation guidance, and can be used standalone or integrated into a development environment.

  • Dynamic AST (DAST): DAST analyzes an application in a running (i.e., dynamic) state during the test and operational phases. DAST simulates an attack against an application (typically a web-enabled application, but increasingly also an application programming interface [API]), analyzes the application's response, and determines whether it is vulnerable.

  • Fuzz testing: Fuzz testing relies on providing random, malformed, or unexpected inputs to a program to identify potential security vulnerabilities, for example application crashes or misbehavior, memory leaks or buffer overflows, or leaving a program in an undefined state. Fuzzing, sometimes called non-deterministic testing, can be used for most types of programs, although it is especially useful for systems that rely on extensive input processing (e.g., web applications and services, APIs).

  • Infrastructure as Code (IaC) Testing: Gartner defines IaC as the creation, provisioning, and configuration of software-defined computing (SDC), networking, and storage infrastructure as source code. IaC security testing tools help ensure compliance with common configuration hardening standards, identify security issues related to specific operating environments, locate embedded secrets, and perform other tests that support specific organization standards and compliance requirements.

  • Interactive AST (IAST): IAST tools launch and instrument a running application (for example, through the Java Virtual Machine [JVM] or .NET Common Language Runtime [CLR]) and examine its operation to identify vulnerabilities. Most IAST implementations are considered reactive because they rely on other application tests to create activities that the IAST tool then evaluates.

  • Mobile AST (MAST): This addresses the special requirements associated with testing mobile applications, such as those running on devices using iOS, Android, or other operating systems. These tools typically use traditional testing methods such as SAST and DAST, optimized to support languages and frameworks commonly used to develop mobile and/or Internet of Things (IoT) applications. They also test for vulnerabilities and security issues unique to these environments.

  • Software Supply Chain Security (SSCS):

    Capabilities designed to identify and manage risks associated with the software supply chain. They may include:

    • Proactively analyze software from external sources (open source or commercial) to identify components that may pose unacceptable risks (e.g., poorly maintained projects, inadequate security controls, presence of malware or malicious code, etc.).
    • Create and manage artifacts that enable software users to assess the security of software produced by an organization (such as a software bill of materials [SBOM] or application security attestation).
    • Secure source code, other development or deployment artifacts, and the underlying systems used to generate them, preserving their integrity to prevent direct attacks on the development process.

Gartner observes that the growth of the AST market is largely driven by the need to support enterprise DevSecOps and cloud-native application initiatives. Customers want products that deliver high-reliability, high-value discoveries without unnecessarily slowing down development efforts. Customers expect products to be baked into the development process at an early stage, and testing is often driven by developers rather than security experts. Therefore, this market assessment focuses on the needs of buyers, including support for fast and accurate testing of various application types, and the ability to integrate into software delivery workflows with increasing levels of automation.

[Figure: Gartner Magic Quadrant for Application Security Testing 2023]


Leaders :

  • Synopsys
  • Checkmarx
  • Veracode
  • OpenText (formerly Micro Focus)

Challengers: see figure

Visionaries: see figure

Niche Players: see figure


View the full report (available for a limited time): https://sysin.org/blog/gartner-magic-quadrant-ast-2023/


How to choose

Position technology players within a specific market.

Who are the competitive players in a key technology market? How can they help you in the long run? A Gartner Magic Quadrant is the culminating research for a specific market, providing a broad understanding of the relative positions of the market's competitors. Using a graphical approach and a unified set of evaluation criteria, the Magic Quadrant helps you quickly determine how well a technology provider is executing on its stated vision and how it performs against Gartner's view of the market.

How to use the Gartner Magic Quadrant?

When considering technology providers for specific investment opportunities, use Gartner's Magic Quadrant as a first step.

Remember that focusing on the leader quadrant is not necessarily the best course of action. There are good reasons to consider market challengers. Niche players may suit your needs better than market leaders. It all depends on how the provider aligns with your business goals.

How does the Gartner Magic Quadrant work?

For markets with rapid growth and clear provider differentiation, the Gartner Magic Quadrant graphically positions providers in four categories:

  • Leaders execute well against their current vision and are well positioned for the future.
  • Visionaries understand where the market is going, or have a vision for changing market rules, but do not yet execute well.
  • Niche Players focus successfully on a small segment, or are unfocused and do not out-innovate or outperform others.
  • Challengers execute well today, or may dominate a large segment, but do not demonstrate an understanding of market direction.


Origin blog.csdn.net/netgc/article/details/130864518